feat: add experimental rust validation middleware

[lucarlig]

✨ Feature / Enhancement PR

🔗 Epic / Issue

No linked issue.

---

🚀 Summary (1-2 sentences)

Adds an experimental opt-in Rust implementation for mcpgateway/middleware/validation_middleware.py that moves the validation hot path into a compiled PyO3 extension while preserving Python fallback behavior when the extension is unavailable.

---

🧪 Checks

• make lint passes
• make test passes
• CHANGELOG updated (if user-facing)

---

📓 Notes (optional)

This branch was benchmarked in two ways against the Python baseline. Focused validation numbers below were refreshed on 2026-04-24 after the latest review fixes.

1. Focused validation microbenchmark
   This benchmark isolates the validation middleware hot path and measures validation cost directly on representative payload shapes. It is useful for showing the Rust validator speedup without unrelated framework overhead.

Scenario	What is being tested	Python median	Rust median	Speedup
resource_path	Allowed-root resource path validation	0.031 ms	0.012 ms	2.51x
parameter_batch	Batched path/query parameter validation	0.005 ms	0.002 ms	2.53x
response_sanitization	Control-character removal from response body	0.052 ms	0.011 ms	4.84x
response_sanitization_safe	Safe ASCII response body sanitizer fast path	0.025 ms	0.006 ms	4.52x
small_safe	Small safe JSON payload	0.003 ms	0.001 ms	2.93x
first_field_reject	Early rejection of dangerous content	0.002 ms	0.002 ms	1.14x
unicode_safe_long	Long safe Unicode-heavy string validation	0.014 ms	0.005 ms	2.63x
nested_safe	Large nested safe JSON payload traversal	0.335 ms	0.033 ms	10.09x
deep_nested	Deep nested JSON traversal and depth-safe validation	2.424 ms	0.340 ms	7.13x
dangerous_string	Rejection of dangerous content in JSON strings	1.025 ms	0.092 ms	11.09x
mixed_params_json	Request path combining parameter checks with JSON validation	0.003 ms	0.001 ms	2.55x

2. End-to-end validation benchmark
   This benchmark uses Locust against /protocol/initialize with validation enabled and a validation-heavy mix of accepted and rejected JSON payloads. It exercises the real FastAPI request path, including request parsing, auth, middleware validation, and route handling.

Scenario	What is being tested	Python median	Rust median	Python RPS	Rust RPS	Latency speedup	Throughput gain
safe-large	Accepted large initialize payload through the full request path	180 ms	160 ms	244.94	255.95	1.12x	1.04x
rejected-large	Rejected large initialize payload returning 422 through the full request path	110 ms	100 ms	82.09	86.99	1.10x	1.06x
aggregated	Combined accepted and rejected validation-heavy traffic	160 ms	150 ms	327.03	342.94	1.07x	1.05x

The end-to-end run was executed in production-mode validation semantics so rejected payloads were actually blocked instead of only logged.

No ADR added because this remains an experimental opt-in implementation behind a feature flag and does not change the default architecture.

---

Refs #1807

[lucarlig]

check if anything from #4204 applies to changes here

[lucarlig]

new CF-DATAPLANE will sove this